I have two ASA 5505s. I have created a site-to-site VPN tunnel using two local networks (e.g. 192.168.1.0 and 192.168.2.0).
I then tried to make another set of local IPs (e.g. 192.168.3.0 and 192.168.4.0) use the same tunnel group and the same external endpoints. One set of IPs is for data and the other for IP phones. VLAN 1 is not being used, VLAN 2 is the inside interface, VLAN 3 is the outside interface, and VLAN 4 is the second interface, named "phones". The first data networks are working fine, but the phone IP data is not flowing. I cannot ping the other side. I set VLAN 4 to not forward to interface VLAN 2 and set the security level to 100 on both ends. These are two independent local networks that don't need to talk to each other. Is there a reason anyone can think of why this wouldn't work?
Change the following on the remote side: "global (inside) 1 interface" to "global (outside) 1 interface". This will PAT the inside hosts to the outside for internet access.
Yes, "show crypto ipsec sa" will show you the statistics for each ACL line that you have configured for your crypto ACL. It will show how many packets have been encrypted and decrypted per ACL subnet pair.
It depends on how the phone subnet is connected on the ASA.
If your phone subnet is connected on a separate interface on the ASA (for example: an interface that you have named "phones"), then you would need to create a new access-list and assign it to the "phones" interface.
access-list phones-nonat permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (phones) 0 access-list phones-nonat
On the other hand, if the phone subnet is connected to the ASA via the inside interface, i.e. the phone subnet is routed via the inside interface of the ASA, then you only need to add a line to the existing ACL on the inside interface.
Currently the inside NAT statement says "nat (inside) 0 access-list 101", and all you need to add is another line to ACL 101 as follows:
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
Here is a sample configuration with two internal interfaces (inside and dmz) for a site-to-site VPN tunnel, for your reference:
From the sample configuration, it is using the same ACL NoNAT for both inside and dmz interfaces. I would recommend that you create a different ACL for the NAT statement for each interface instead of using the same ACL on both interfaces.
Hope that helps.
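As an added illustration (not code from this thread or from Cisco): a small Python checker that parses the "nat (interface) 0 access-list" bindings and the ip-only ACL lines discussed above, then evaluates whether a given flow entering an interface would be NAT-exempted. The config fragments are constructed to mirror the thread; the phone flow is not exempt until a NAT-exempt ACL is bound to the "phones" interface.

```python
import ipaddress
import re

# Constructed config fragments modelled on the thread (not the poster's real config).
CONFIG_BEFORE = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list 101
"""
# The fix suggested above: a dedicated NAT-exempt ACL bound to the phones interface.
CONFIG_AFTER = CONFIG_BEFORE + """
access-list phones-nonat permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (phones) 0 access-list phones-nonat
"""

# Only the ip-only ACE form used in the thread is parsed (no ports, no object groups).
ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def parse_config(text):
    """Collect ACEs per ACL name and the 'nat (iface) 0' bindings."""
    acls, nat0 = {}, {}
    for line in text.splitlines():
        line = " ".join(line.split())  # normalise whitespace
        if m := ACE_RE.match(line):
            name, action, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (action, ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
    return acls, nat0

def is_nat_exempt(text, iface, src, dst):
    """First-match evaluation of the ACL bound by 'nat (iface) 0'.
    No binding on the interface, or no matching ACE, means the flow is NOT exempt."""
    acls, nat0 = parse_config(text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acls.get(nat0.get(iface), []):
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False

def unexempted_flows(text, flows):
    """Return the (iface, src, dst) tuples that would still be translated by the
    interface's dynamic NAT/PAT rule instead of entering the tunnel untranslated."""
    return [f for f in flows if not is_nat_exempt(text, *f)]

FLOWS = [("inside", "192.168.1.10", "192.168.2.10"),  # data VLAN, works in the thread
         ("phones", "192.168.3.10", "192.168.4.10")]  # phone VLAN, fails in the thread

if __name__ == "__main__":
    print("still NATed before fix:", unexempted_flows(CONFIG_BEFORE, FLOWS))
    print("still NATed after fix: ", unexempted_flows(CONFIG_AFTER, FLOWS))
```

Run the same check against the remote ASA's config with the source and destination swapped, since the exemption (and the crypto ACL) must mirror on both ends.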